CN113472728A - Communication method and device - Google Patents

Info

Publication number: CN113472728A
Authority: CN (China)
Prior art keywords: terminal, information, identification information, key, cloud
Legal status: Granted (active)
Application number: CN202010247679.XA
Other languages: Chinese (zh)
Other versions: CN113472728B (en)
Inventor: 刘禹轩
Current assignee: Alibaba Group Holding Ltd
Original assignee: Alibaba Group Holding Ltd
Application filed by Alibaba Group Holding Ltd; priority to CN202010247679.XA; published as CN113472728A; granted and published as CN113472728B.

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/04: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols
    • H04L9/08: Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861: Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0866: Generation of secret information including derivation or calculation of cryptographic keys or passwords involving user or device identifiers, e.g. serial number, physical or biometrical information, DNA, hand-signature or measurable physical characteristics

Abstract

The embodiments of the application provide a communication method and a communication device applied to a terminal, where the terminal is connected to a gateway and the gateway is connected to a cloud. The terminal acquires the card number of a built-in electronic card and generates a random string; the terminal generates encryption information from the card number and the random string and sends the encryption information to the cloud through the gateway, the encryption information comprising identification information and key information; and the terminal communicates with the cloud in encrypted form through the gateway according to the identification information and the key information. The security of communication between the terminal and the cloud is thereby guaranteed without any key having to be burned into the terminal.

Description

Communication method and device
Technical Field
The present application relates to the field of communications technologies, and in particular, to a communication method and a communication apparatus.
Background
The directional basic network is a network distinct from an operator's public network; the main difference is that the user's network traffic flows through a network platform over a dedicated network channel, a leased line or similar. That is, a virtual cellular network is built on top of the directional network so that the traffic at the access egress passes through the network platform, which makes the network autonomously controllable to a certain extent.
The directional basic network is a precondition for many functions, including traffic-free cloud upload, device-card binding, network speed control, access control, intelligent diagnosis, remote control, self-service ticketing, per-application charging, per-application control and the like; without a directional network there are none of these higher-level network capabilities. Items relating to the higher-level capabilities of the network are services built on the directional network, and realizing these services requires data communication.
In the prior art, to secure service data communication, when a device registers with the cloud the cloud generates verification information for the device that includes a device key; the generated verification information (including the device key) is burned into the device, and the cloud and the device then transmit data using symmetric encryption under the device key. The device must be registered with the cloud so that a non-platform device cannot go on to use further platform services once it connects to the cloud, and burning the verification information (including the device key) into the device is error-prone: for example, two devices may be burned with the same device key.
Disclosure of Invention
In view of the above, embodiments of the present application are proposed to provide a communication method and a corresponding communication apparatus that overcome or at least partially solve the above problems.
To solve the above problem, an embodiment of the application discloses a communication method applied to a terminal, where the terminal is connected to a gateway and the gateway is connected to a cloud, and the method includes:
the terminal acquires the card number of a built-in electronic card and generates a random string;
the terminal generates encryption information from the card number and the random string and sends the encryption information to the cloud through the gateway, the encryption information comprising identification information and key information;
and the terminal communicates with the cloud in encrypted form through the gateway according to the identification information and the key information.
Optionally, the identification information includes first identification information, and generating the identification information from the card number and the random string includes:
the terminal uses the card number and the random string as the first identification information.
Optionally, the identification information further includes second identification information, and generating the identification information includes:
the terminal acquires its own device number;
and the terminal generates the second identification information from the device number.
Optionally, sending the encryption information to the cloud through the gateway includes:
the terminal sends an access request to the cloud through the gateway, the access request including the encryption information.
Optionally, the encrypted communication between the terminal and the cloud through the gateway according to the identification information and the key information includes:
the terminal encrypts first data with the key information, the first data including the first identification information;
and the terminal sends the encrypted first data to the cloud through the gateway.
Optionally, the encrypted communication between the terminal and the cloud through the gateway according to the identification information and the key information includes:
the terminal receives, through the gateway, second data sent by the cloud;
and the terminal decrypts the second data with the key information.
An embodiment of the application also discloses a communication method applied to a terminal, where the terminal is connected to a gateway and the gateway is connected to a cloud, and the method includes the following steps:
the terminal generates encryption information and sends the encryption information to the cloud through the gateway, the encryption information comprising identification information and key information;
and the terminal communicates with the cloud in encrypted form through the gateway according to the identification information and the key information.
Optionally, the identification information includes first identification information, and generating the encryption information includes:
the terminal acquires the card number of a built-in electronic card;
and the terminal generates the first identification information from the card number.
Optionally, generating the first identification information from the card number includes:
the terminal generates a random string;
and the terminal uses the card number and the random string as the first identification information.
Optionally, the identification information further includes second identification information, and generating the encryption information includes:
the terminal acquires its own device number;
and the terminal generates the second identification information from the device number.
Optionally, sending the encryption information to the cloud through the gateway includes:
the terminal sends an access request to the cloud through the gateway, the access request including the encryption information.
Optionally, the encrypted communication between the terminal and the cloud through the gateway according to the identification information and the key information includes:
the terminal encrypts first data with the key information, the first data including the first identification information;
and the terminal sends the encrypted first data to the cloud through the gateway.
Optionally, the encrypted communication between the terminal and the cloud through the gateway according to the identification information and the key information includes:
the terminal receives, through the gateway, second data sent by the cloud;
and the terminal decrypts the second data with the key information.
An embodiment of the application further discloses a communication method applied to a cloud, where the cloud is connected to a gateway and the gateway is connected to a terminal, and the method includes the following steps:
the cloud receives, through the gateway, encryption information sent by the terminal, the encryption information comprising identification information and key information, the key information having been generated by the terminal;
and the cloud communicates with the terminal in encrypted form through the gateway according to the identification information and the key information.
Optionally, the method further includes:
the cloud stores the identification information and the key information in the form of key-value pairs.
Optionally, the identification information includes first identification information and second identification information, and storing the identification information and the key information in the form of key-value pairs includes the following steps:
the cloud stores the first identification information as the key and the second identification information as the value, obtaining a first key-value pair;
and the cloud stores the second identification information as the key and the key information as the value, obtaining a second key-value pair.
Optionally, the encrypted communication between the cloud and the terminal through the gateway according to the identification information and the key information includes:
the cloud receives, through the gateway, first data sent by the terminal, the first data including the first identification information and having been encrypted by the terminal with the key information;
the cloud looks up, in the first key-value pair, the second identification information corresponding to the first identification information;
the cloud looks up, in the second key-value pair, the key information corresponding to the second identification information;
and the cloud decrypts the first data with the key information corresponding to the second identification information.
Optionally, the encrypted communication between the cloud and the terminal through the gateway according to the identification information and the key information includes:
the cloud looks up, in the second key-value pair, the key information corresponding to the second identification information;
the cloud encrypts second data with the key information;
and the cloud sends the encrypted second data to the terminal through the gateway.
Optionally, the identification information includes third identification information, the third identification information comprising a card number, and storing the identification information and the key information in the form of key-value pairs includes the following step:
the cloud stores the third identification information as the key and the key information as the value, obtaining a third key-value pair.
Optionally, the encrypted communication between the cloud and the terminal through the gateway according to the identification information and the key information includes:
the cloud receives, through the gateway, first data sent by the terminal, the first data including the third identification information and having been encrypted by the terminal with the key information;
the cloud looks up, in the third key-value pair, the key information corresponding to the third identification information;
and the cloud decrypts the first data with the key information corresponding to the third identification information.
Optionally, the encrypted communication between the cloud and the terminal through the gateway according to the identification information and the key information includes:
the cloud looks up, in the third key-value pair, the key information corresponding to the third identification information, and encrypts second data with the key information;
and the cloud sends the encrypted second data to the terminal through the gateway.
Optionally, receiving, by the cloud through the gateway, the encryption information sent by the terminal includes:
the cloud receives, through the gateway, an access request sent by the terminal, the access request including the encryption information.
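The terminal-side and cloud-side methods above, simulated end to end as an added example (not code from the patent or from Alibaba): the terminal derives its first identification information from card number plus random string and its second identification information from the device number, generates its own key information, and sends all three in the access request; the cloud keeps the first key-value pair (first id to second id) and the second key-value pair (second id to key) and walks that chain to decrypt first data and encrypt second data. Assumptions: the unspecified symmetric cipher is stood in for by an HMAC-SHA256 keystream with an encrypt-then-MAC tag, the second identification information is a hash of the device number, and first data carries the first identification information as a clear header so the cloud can perform the lookup.

```python
"""Simulation of the terminal / gateway / cloud scheme described in CN113472728A.

Added example, not the patent's own code. See the lead-in for the assumptions
(stand-in cipher, hashed device number, clear first-id header on first data).
"""
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def _prf(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (length + 31) // 32
    return b"".join(_prf(key, b"ks" + nonce + i.to_bytes(4, "big")) for i in range(blocks))


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in symmetric cipher (assumption): returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = _prf(key, b"tag" + nonce + ciphertext)
    return nonce + ciphertext + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Checks the tag before decrypting; a wrong key or a tampered blob raises ValueError."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("truncated message")
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, _prf(key, b"tag" + nonce + ciphertext)):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))


def gateway(message):
    """The gateway only relays between terminal and cloud and holds no key material."""
    return message


class Terminal:
    """Terminal side: step 201 (card number + random string), step 202 (encryption information)."""

    def __init__(self, card_number: str, device_number: str):
        self.card_number = card_number                 # number of the built-in electronic card
        self.random_string = secrets.token_hex(8)      # step 201: random string for this card number
        # sub-step S11: first identification information = card number plus random string
        self.first_id = f"{card_number}:{self.random_string}"
        # sub-step S12: second identification information from the device number (hash is an assumption)
        self.second_id = hashlib.sha256(device_number.encode()).hexdigest()
        # key information generated by the terminal itself, so nothing has to be burned in
        self.key = secrets.token_bytes(32)

    def access_request(self) -> dict:
        """Encryption information (identification information + key information) sent in the access request."""
        return {"first_id": self.first_id, "second_id": self.second_id, "key": self.key}

    def first_data(self, payload: bytes) -> tuple:
        """First data: clear first-id header plus payload encrypted with the key information."""
        return self.first_id, encrypt(self.key, payload)

    def receive_second_data(self, blob: bytes) -> bytes:
        return decrypt(self.key, blob)


class Cloud:
    """Cloud side: the two key-value pairs and the lookup chain used for each message."""

    def __init__(self):
        self.first_kv = {}    # first key-value pair: first id -> second id
        self.second_kv = {}   # second key-value pair: second id -> key information

    def receive_access_request(self, req: dict) -> None:
        self.first_kv[req["first_id"]] = req["second_id"]
        self.second_kv[req["second_id"]] = req["key"]

    def receive_first_data(self, first_id: str, blob: bytes) -> bytes:
        second_id = self.first_kv.get(first_id)
        if second_id is None:
            raise KeyError("unknown first identification information")  # never registered: drop
        return decrypt(self.second_kv[second_id], blob)

    def second_data(self, second_id: str, payload: bytes) -> bytes:
        """Second data for one terminal, encrypted under the key found via the second key-value pair."""
        return encrypt(self.second_kv[second_id], payload)


def run_session(card_number: str, device_number: str, payload: bytes) -> dict:
    """One full exchange through the gateway; returns what each side recovered plus both parties."""
    terminal, cloud = Terminal(card_number, device_number), Cloud()
    cloud.receive_access_request(gateway(terminal.access_request()))
    first_id, blob = terminal.first_data(payload)
    uplink = cloud.receive_first_data(first_id, gateway(blob))
    downlink = terminal.receive_second_data(gateway(cloud.second_data(terminal.second_id, b"ack:" + uplink)))
    return {"uplink": uplink, "downlink": downlink, "terminal": terminal, "cloud": cloud}
```

Because the access request carries the key information itself across the gateway, a deployment needs transport protection for that first message, which the page leaves unspecified.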
An embodiment of the application also discloses a communication device applied to a terminal, where the terminal is connected to a gateway and the gateway is connected to a cloud, and the device includes:
a random string generating module, configured to acquire the card number of a built-in electronic card and generate a random string;
an encryption information generating module, configured to generate encryption information from the card number and the random string, the encryption information comprising identification information and key information;
an encryption information sending module, configured to send the encryption information to the cloud through the gateway;
and an encrypted communication module, configured to communicate with the cloud in encrypted form through the gateway according to the identification information and the key information.
Optionally, the encryption information includes identification information and key information, the identification information includes first identification information and second identification information, and the encryption information generating module includes:
a first identification information generating submodule, configured to use the card number and the random string as the first identification information; and a second identification information generating submodule, configured to acquire the terminal's own device number and generate the second identification information from the device number.
Optionally, the encryption information sending module includes:
an access request sending submodule, configured to send an access request to the cloud through the gateway, the access request including the encryption information.
Optionally, the encrypted communication module includes:
a first data encryption submodule, configured to encrypt first data with the key information, the first data including the first identification information;
a first data sending submodule, configured to send the encrypted first data to the cloud through the gateway;
a second data receiving submodule, configured to receive, through the gateway, second data sent by the cloud;
and a second data decryption submodule, configured to decrypt the second data with the key information.
An embodiment of the application also discloses a communication device applied to a terminal, where the terminal is connected to a gateway and the gateway is connected to a cloud, and the device includes:
an encryption information generating module, configured to generate encryption information, the encryption information comprising identification information and key information;
an encryption information sending module, configured to send the encryption information to the cloud through the gateway;
and an encrypted communication module, configured to communicate with the cloud in encrypted form through the gateway according to the identification information and the key information.
Optionally, the encryption information includes identification information and key information, the identification information includes first identification information and second identification information, and the encryption information generating module includes:
a first identification information generating submodule, configured to acquire the card number of a built-in electronic card and generate the first identification information from the card number;
and a second identification information generating submodule, configured to acquire the terminal's own device number and generate the second identification information from the device number.
Optionally, the first identification information generating submodule includes:
a first identification information generating unit, configured to generate a random string and use the card number and the random string as the first identification information.
Optionally, the encryption information sending module includes:
an access request sending submodule, configured to send an access request to the cloud through the gateway, the access request including the encryption information.
Optionally, the encrypted communication module includes:
a first data encryption submodule, configured to encrypt first data with the key information, the first data including the first identification information;
a first data sending submodule, configured to send the encrypted first data to the cloud through the gateway;
a second data receiving submodule, configured to receive, through the gateway, second data sent by the cloud;
and a second data decryption submodule, configured to decrypt the second data with the key information.
An embodiment of the application further discloses a communication device applied to a cloud, where the cloud is connected to a gateway and the gateway is connected to a terminal, and the device includes:
an encryption information receiving module, configured to receive, through the gateway, encryption information sent by the terminal, the encryption information comprising identification information and key information, the key information having been generated by the terminal;
an encryption information storage module, configured to store the identification information and the key information in the form of key-value pairs;
and an encrypted communication module, configured to communicate with the terminal in encrypted form through the gateway according to the identification information and the key information.
Optionally, the encryption information receiving module includes:
an access request receiving submodule, configured to receive, through the gateway, an access request sent by the terminal, the access request including the encryption information.
Optionally, the identification information includes first identification information and second identification information, and the encryption information storage module includes:
a first key-value pair storage submodule, configured to store the first identification information as the key and the second identification information as the value, obtaining a first key-value pair;
and a second key-value pair storage submodule, configured to store the second identification information as the key and the key information as the value, obtaining a second key-value pair.
Optionally, the encrypted communication module includes:
a first data receiving submodule, configured to receive, through the gateway, first data sent by the terminal, the first data including the first identification information and having been encrypted by the terminal with the key information;
a second identification information query submodule, configured to look up, in the first key-value pair, the second identification information corresponding to the first identification information;
a key information query submodule, configured to look up, in the second key-value pair, the key information corresponding to the second identification information;
and a first data decryption submodule, configured to decrypt the first data with the key information corresponding to the second identification information.
Optionally, the encrypted communication module includes:
a key information query submodule, configured to look up, in the second key-value pair, the key information corresponding to the second identification information;
a second data encryption submodule, configured to encrypt second data with the key information;
and a second data sending submodule, configured to send the encrypted second data to the terminal through the gateway.
Optionally, the identification information includes third identification information, the third identification information comprising a card number, and the encryption information storage module includes:
a third key-value pair storage submodule, configured to store the third identification information as the key and the key information as the value, obtaining a third key-value pair.
Optionally, the encrypted communication module includes:
a first data receiving submodule, configured to receive, through the gateway, first data sent by the terminal, the first data including the third identification information and having been encrypted by the terminal with the key information;
a key information query submodule, configured to look up, in the third key-value pair, the key information corresponding to the third identification information;
and a first data decryption submodule, configured to decrypt the first data with the key information corresponding to the third identification information.
Optionally, the encrypted communication module includes:
a second data encryption submodule, configured to look up, in the third key-value pair, the key information corresponding to the third identification information and encrypt second data with the key information;
and a second data sending submodule, configured to send the encrypted second data to the terminal through the gateway.
An embodiment of the application further discloses an electronic device, which includes a processor, a memory and a computer program stored in the memory and runnable on the processor, the computer program, when executed by the processor, implementing the steps of any of the communication methods above.
An embodiment of the application also discloses a computer-readable storage medium on which a computer program is stored, the computer program implementing the steps of any of the communication methods above when executed by a processor.
The embodiments of the application have the following advantages:
in the communication method and communication device, the terminal generates encryption information comprising identification information and key information and sends it to the cloud through the gateway, so that the terminal and the cloud can communicate in encrypted form using the identification information and the key information. The security of communication between the terminal and the cloud is thereby guaranteed without any key having to be burned into the terminal.
Drawings
FIG. 1 is a flowchart of a secure communication method based on a burned key, as discussed in the present application;
FIG. 2 is a flowchart of the steps of a first embodiment of a communication method of the present application;
FIG. 3 is a flowchart of the steps of a second embodiment of a communication method of the present application;
FIG. 4 is a flowchart of the steps of a third embodiment of a communication method of the present application;
FIG. 5 is a diagram of an application scenario of an embodiment of a communication method of the present application;
FIG. 6 is a block diagram of a first embodiment of a communication device of the present application;
FIG. 7 is a block diagram of a second embodiment of a communication device of the present application;
FIG. 8 is a block diagram of a third embodiment of a communication device of the present application.
Detailed Description
To make the above objects, features and advantages of the present application more comprehensible, the present application is described in further detail below with reference to the accompanying drawings and specific embodiments.
Referring to FIG. 1, a flowchart of a secure communication method based on a burned key is shown, applied to secure communication between a device and a network platform. As shown in FIG. 1, the device communicates securely with the network platform as follows:
1) the device communicates with the network platform and obtains verification information for the device from a registration server; 2) the device and its verification information are registered with the network platform through the registration server; 3) after registration is completed, the network platform may return registered authentication information, such as a triple (including a product name, a device name and a device key), to the registered device through the registration server; 4) secure communication between the device and the network platform can then be guaranteed by the returned triple.
In the above process, to prevent unauthorized connections to the network platform and to secure service data communication, the network platform must be given a triple when connecting to the device: the device registers with the cloud (that is, the network platform), the registered triple that is generated must be burned into the device, and the cloud and the device then transmit data using symmetric encryption under the device key. The device must be registered with the cloud so that a non-platform device cannot use further platform services once it is on the cloud; moreover, because the triple has to be burned into the device, burning errors, such as two devices being burned with the same device key, easily occur during the burning process.
Based on the above problems, referring to fig. 2, a flowchart of a first communication method embodiment of the present application is shown, and is applied to a terminal, where the terminal is connected to a gateway, and the gateway is connected to a cloud, and specifically, the method may include the following steps:
step 201, the terminal acquires a card number of a built-in electronic card and generates a random string;
in an embodiment of the present application, the terminal may have a built-in electronic card, and since the built-in electronic card may have a phenomenon of one card with multiple numbers, the card number of the built-in electronic card may be obtained, so that the terminal may generate the encryption information corresponding to the card number of the electronic card according to the card number of the terminal.
In practical applications, the terminal obtains the card number of its electronic card, and there may be a phenomenon that one terminal has one card with one number or one terminal has multiple cards with one number, and the card number may be used to represent the identity information of the communication terminal. After obtaining one card number or a plurality of card numbers of the self built-in electronic card, one or a plurality of random strings aiming at the one or the plurality of card numbers can be generated, so that the terminal generates the encryption information according to the random string corresponding to the card number. Specifically, the generated random string may be a number, a character, or a combination of a number and a character, which is not limited in this embodiment of the present invention.
Step 202, the terminal generates encryption information by adopting the card number and the random string; the encryption information comprises identification information and key information;
For the terminal and the cloud to communicate securely without registering the terminal with the cloud and without burning a triple into the terminal, the terminal can itself generate encryption information for the terminal using its card number and the random string corresponding to that card number; the encryption information can include identification information and key information. The identification information identifies the terminal, so that the cloud can determine the identity of the terminal it is communicating with without the terminal having to register with the cloud; the key information is used to encrypt and decrypt the transmitted data, so that secure communication between the terminal and the cloud is ensured without a triple being burned into the terminal.
It should be noted that the terminal may generate the key information periodically according to a preset time interval, or when the terminal accesses the gateway; this is not limited in this embodiment of the application. The key information generated by the terminal may be a fixed key or a random key, and may also indicate an encryption manner, for example an asymmetric or a symmetric encryption manner; this is likewise not limited in this embodiment of the present application.
In an embodiment of the present application, the identification information may include first identification information, and the first identification information may be specifically generated through the following steps:
in sub-step S11, the terminal uses the card number and the random string as the first identification information.
After the terminal acquires one or more card numbers of its built-in electronic card and the one or more random strings corresponding to those card numbers, each card number together with its corresponding random string can be used as first identification information identifying the terminal's card number. The random string thereby adds protection for the card number while the card number is being identified, reducing the probability that a malicious network platform can crack the terminal's identity.
In an embodiment of the present application, the identification information may further include second identification information, and the second identification information may be specifically generated through the following steps:
substep S12, the terminal obtains its own device number;
The identification information identifying the terminal includes first identification information identifying the terminal's card number; the terminal can additionally acquire its own device number so as to generate second identification information from that device number.
Substep S13, the terminal generates the second identification information using the device number.
After the terminal acquires its device number, it can use the acquired device number to generate second identification information. The object identified by the second identification information is the terminal device itself, so that the cloud can clearly identify the specific terminal device it is communicating with.
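The terminal-side generation of steps 201 and 202 (card numbers paired with random strings as first identification information, the device number as the basis of the second identification information, and a random key as the key information) can be laid out in code as follows. This is an added example, not code from the patent or from its assignee; the sample card numbers and device number are constructed, deriving the second identification information by hashing the device number and using a 32-byte symmetric key are assumptions of the example, and the function names are hypothetical.

```python
"""Terminal-side generation of the encryption information of steps 201-202."""
import hashlib
import secrets

# Constructed sample inputs (assumptions) standing in for what a real terminal
# would read from its built-in electronic card and its device firmware.
SAMPLE_CARD_NUMBERS = ["898600001234567890", "898600009876543210"]  # one card, two numbers
SAMPLE_DEVICE_NUMBER = "TERM-0001"


def generate_random_string(nbytes=16):
    """Random string bound to one card number (step 201). Hex output, so it is a
    combination of digits and letters as the text allows; 16 bytes is an assumption."""
    return secrets.token_hex(nbytes)


def generate_first_identification(card_numbers):
    """Sub-step S11: every card number is paired with its own random string.
    Returns a list of (card_number, random_string) tuples, one per number."""
    return [(card_number, generate_random_string()) for card_number in card_numbers]


def generate_second_identification(device_number):
    """Sub-step S13: second identification information generated from the device
    number. Hashing is an assumption; the text only says it is generated using it."""
    return hashlib.sha256(device_number.encode("utf-8")).hexdigest()


def generate_key_information(manner="symmetric"):
    """Key information = the key itself plus the encryption manner it is meant for.
    Only a random 32-byte symmetric key is generated here (an assumption); the
    text also allows fixed keys and asymmetric manners."""
    if manner != "symmetric":
        raise ValueError("this example generates symmetric keys only")
    return {"manner": manner, "key": secrets.token_hex(32)}


def generate_encryption_information(card_numbers, device_number):
    """Step 202: bundle identification information and key information."""
    return {
        "identification": {
            "first": generate_first_identification(card_numbers),
            "second": generate_second_identification(device_number),
        },
        "key_information": generate_key_information(),
    }
```

Because the cloud later keys its first key-value pair on the card number together with the random string, the terminal has to persist the random string it generated and reuse it on every access request; regenerating it would leave the cloud unable to match the terminal to its stored device number.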
Step 203, the terminal sends the encryption information to the cloud through the gateway;
To achieve secure communication between the terminal and the cloud without registering with the cloud or burning a triple into the terminal, the terminal must communicate with the cloud through the gateway once it has generated the encryption information. At this point the terminal can send the encryption information through the gateway to the cloud it is to communicate with, so that the cloud can determine the specific identity of the terminal communicating with it.
In one embodiment of the present application, step 203 may comprise the sub-steps of:
substep S21, the terminal sends an access request to the cloud through the gateway; the access request includes encryption information.
The terminal needs to send the encryption information to the cloud it is to communicate with; it can do so by sending an access request to the cloud through the gateway and carrying the encryption information in the access request, so that the terminal establishes a communication relationship with the cloud and transmits the encryption information at the same time. The terminal, the gateway connected to the terminal, and the cloud connected to the gateway can be located in the same virtual network. The virtual network can be constructed by the gateway through a directional network of the cloud, so that data communication between the terminal and the gateway flows through the cloud over that directional network and the communication connection between the terminal and the cloud is established.
In an embodiment of the application, the communication connection between the terminal and the cloud may be established as follows: the terminal generates an access request for the virtual network and sends it to the virtual gateway that created the virtual network; on receiving the access request, the virtual gateway forwards it to the cloud; on receiving the access request, the cloud verifies whether the terminal is allowed to access the network and, if so, generates a network access response permitting access and sends it to the virtual gateway; the virtual gateway forwards the network access response to the terminal, and the terminal accesses the virtual network according to that response.
Step 204, the terminal performs encrypted communication with the cloud through the gateway according to the identification information and the key information.
In an embodiment of the application, once the terminal has accessed the virtual network that the virtual gateway constructed through the directional network of the cloud, the cloud has also received the encryption information generated by the terminal, which may include identification information identifying the terminal and key information for encrypting and decrypting the transmitted data. That is, with the terminal identity and the key information now known at the cloud, the terminal can perform encrypted communication with the cloud over the virtual network created by the gateway, according to the identification information and the key information corresponding to it. This achieves secure communication between the terminal and the cloud without registration with the cloud and without burning a triple into the terminal.
It should be noted that when the terminal communicates with the cloud through the gateway in encrypted form, the encryption mode may be asymmetric, for example RSA, Elgamal, ESA, the knapsack algorithm, Rabin, D-H, ECC, etc., or symmetric, for example AES, 3DES, etc.; the embodiments of the present application are not limited in this respect.
In one embodiment of the present application, step 204 may include the following sub-steps:
Substep S31, the terminal encrypts first data using the key information; the first data includes the first identification information;
In an embodiment of the application, when the terminal and the cloud communicate in encrypted form, in a first case the terminal acts as the sender: the first data may be symmetrically or asymmetrically encrypted using the key information (a random key or a fixed key), so as to protect the data while it is in transit. So that the cloud can determine the specific identity of the terminal and the corresponding key information during the encrypted communication, the terminal carries the first identification information identifying the terminal in the transmitted first data.
Substep S32, the terminal sends the encrypted first data to the cloud through the gateway.
In the virtual network created by the virtual gateway, the terminal can send the first data, encrypted with the key information (a random key or a fixed key), to the cloud through the gateway. After the cloud receives the encrypted first data, it can read the first identification information carried in the first data, look up the key information corresponding to that first identification information, and decrypt the encrypted first data with that key information to obtain the decrypted first data, thereby ensuring secure communication between the terminal and the cloud.
Substep S33, the terminal receives, through the gateway, second data sent by the cloud;
In an embodiment of the application, when the terminal and the cloud communicate in encrypted form within the virtual network created by the gateway, in a second case the terminal acts as the receiver: it can receive, through the gateway, second data sent by the cloud, where the second data has been encrypted by the cloud with the key corresponding to the terminal's identity information.
Substep S34, the terminal decrypts the second data using the key information.
After the terminal receives the encrypted second data, it can symmetrically or asymmetrically decrypt it using the key information (a random key or a fixed key) to obtain the decrypted second data, ensuring secure communication between the terminal and the cloud.
In the communication method provided by this embodiment of the application, applied to a terminal, the terminal generates identification information and key information for itself, sends them to the cloud through the gateway in the virtual network, and performs encrypted transmission with the cloud according to that identification information and key information. The cloud can thus determine the identity of the terminal communicating with it without the terminal registering with the cloud, and secure communication between the terminal and the cloud is guaranteed without a triple being burned into the terminal.
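The two directions of step 204 (sub-steps S31 to S34) can be traced with both sides' messages. This is an added example, not the patent's or its assignee's code. The first identification information, the key, and the payloads are constructed samples; the cipher is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, chosen as a standard-library stand-in for the AES or 3DES the text lists (an assumption of the example), and the cloud's key record is a plain dictionary keyed on the first identification information.

```python
"""Sub-steps S31 to S34 as a two-direction exchange: the terminal encrypts first
data that carries its first identification information, the cloud finds the key
by that identification and decrypts, then the cloud answers with second data
that the terminal decrypts with the same key information."""
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(enc_key, nonce, length):
    """HMAC-SHA256 driven counter-mode keystream: a stand-in PRF cipher
    (an assumption of this example); a deployment would use AES as the page lists."""
    blocks = []
    counter = 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def _subkeys(key_information):
    """Derive independent encryption and MAC subkeys from the terminal's key."""
    enc_key = hmac.new(key_information, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key_information, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def encrypt(key_information, plaintext):
    """Encrypt-then-MAC; output layout is nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key_information)
    nonce = secrets.token_bytes(NONCE_LEN)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key_information, blob):
    """Verify the tag first, then strip the keystream; tampered data is rejected."""
    enc_key, mac_key = _subkeys(key_information)
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("message too short")
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: data was modified in transit")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


# Constructed sample state (assumptions): the first identification information the
# terminal generated earlier, the key it generated, and the cloud's record of it.
FIRST_ID = ("898600001234567890", "3f9c1a6b5e7d2c4b8a0f1e2d3c4b5a69")
TERMINAL_KEY = bytes.fromhex("1f" * 32)
CLOUD_KEY_STORE = {FIRST_ID: TERMINAL_KEY}


def terminal_send_first_data(key_information, first_id, payload):
    """S31 + S32: the first identification travels outside the encrypted envelope,
    because the cloud needs it to find the key before it can decrypt anything."""
    return {"first_identification": list(first_id), "ciphertext": encrypt(key_information, payload).hex()}


def cloud_receive_first_data(key_store, message):
    """Cloud side of S32: look up the key by first identification, then decrypt."""
    key_information = key_store[tuple(message["first_identification"])]
    return decrypt(key_information, bytes.fromhex(message["ciphertext"]))


def cloud_send_second_data(key_store, first_id, payload):
    """S33: the cloud encrypts second data with the key recorded for this terminal."""
    return encrypt(key_store[first_id], payload).hex()


def terminal_receive_second_data(key_information, ciphertext_hex):
    """S34: the terminal decrypts with its own key information."""
    return decrypt(key_information, bytes.fromhex(ciphertext_hex))
```

The tag check before decryption is what lets the cloud distinguish a genuine terminal from a party that knows only the first identification information, which is sent in the clear: without the key the tag cannot be produced, and modified or forged first data is dropped rather than decrypted.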
Referring to fig. 3, a flowchart illustrating the steps of a second communication method embodiment of the present application is shown. This embodiment is applied to a terminal, where the terminal is connected to a gateway and the gateway is connected to a cloud; specifically, it may include the following steps:
step 301, the terminal generates encryption information; the encryption information comprises identification information and key information;
For the terminal and the cloud to communicate securely without registering the terminal with the cloud and without burning a triple into the terminal, the terminal can itself generate encryption information for the terminal; the encryption information can include identification information and key information. The identification information identifies the terminal, so that the cloud can determine the identity of the terminal it is communicating with without the terminal having to register with the cloud; the key information is used to encrypt and decrypt the transmitted data, so that secure communication between the terminal and the cloud is ensured without a triple being burned into the terminal.
It should be noted that the terminal may generate the key information periodically according to a preset time interval, or when the terminal accesses the gateway; this is not limited in this embodiment of the application. The key information generated by the terminal may be a fixed key or a random key, and may also indicate an encryption manner, for example an asymmetric or a symmetric encryption manner; this is likewise not limited in this embodiment of the present application.
In an embodiment of the present application, the identification information may include first identification information, and the first identification information may be specifically generated through the following steps:
The terminal acquires the card number of its built-in electronic card;
The identification information identifying the terminal may include first identification information. The terminal may have a built-in electronic card, and since a built-in electronic card may carry multiple numbers (one card with multiple numbers), the card number or numbers of the built-in electronic card can be acquired at this point, so that the terminal can generate the first identification information from the card number of its own electronic card.
The terminal generates the first identification information using the card number.
When the terminal acquires the card number of its electronic card, the terminal may have one card with one number or multiple cards with multiple numbers. The terminal can generate first identification information from the acquired card number; the object identified by the first identification information is the terminal's card number, so that the cloud can clearly identify the identity information of the terminal communicating with it.
Specifically, the step of generating the first identification information by the terminal using the card number may be as follows:
The terminal generates a random string;
After acquiring the card number or card numbers of its built-in electronic card, the terminal can also generate one or more random strings, one for each card number, so as to generate the first identification information from the random string corresponding to the card number. Specifically, the generated random string may be a number, a character, or a combination of numbers and characters, which is not limited in this embodiment of the present invention.
The terminal uses the card number and the random string as the first identification information.
After the terminal acquires one or more card numbers of its built-in electronic card and the one or more random strings corresponding to those card numbers, each card number together with its corresponding random string can be used as first identification information identifying the terminal's card number. The random string thereby adds protection for the card number while the card number is being identified, reducing the probability that a malicious network platform can crack the terminal's identity.
In an embodiment of the present application, the identification information may further include second identification information, and the second identification information may be specifically generated through the following steps:
The terminal acquires its own device number;
The identification information identifying the terminal includes first identification information identifying the terminal's card number; the terminal can additionally acquire its own device number so as to generate second identification information from that device number.
The terminal generates the second identification information using the device number.
After the terminal acquires its device number, it can use the acquired device number to generate second identification information. The object identified by the second identification information is the terminal device itself, so that the cloud can clearly identify the specific terminal device it is communicating with.
Step 302, the terminal sends the generated encryption information to the cloud through the gateway;
To achieve secure communication between the terminal and the cloud without registering with the cloud or burning a triple into the terminal, the terminal must communicate with the cloud through the gateway once it has generated the encryption information. At this point the terminal can send the encryption information through the gateway to the cloud it is to communicate with, so that the cloud can determine the specific identity of the terminal communicating with it.
In one embodiment of the present application, step 302 may include the steps of:
The terminal sends an access request to the cloud through the gateway; the access request includes the encryption information.
The terminal needs to send the encryption information to the cloud it is to communicate with; it can do so by sending an access request to the cloud through the gateway and carrying the encryption information in the access request, so that the terminal establishes a communication relationship with the cloud and transmits the encryption information at the same time. The terminal, the gateway connected to the terminal, and the cloud connected to the gateway can be located in the same virtual network. The virtual network can be constructed by the gateway through a directional network of the cloud, so that data communication between the terminal and the gateway flows through the cloud over that directional network and the communication connection between the terminal and the cloud is established.
In an embodiment of the application, the communication connection between the terminal and the cloud may be established as follows: the terminal generates an access request for the virtual network and sends it to the virtual gateway that created the virtual network; on receiving the access request, the virtual gateway forwards it to the cloud; on receiving the access request, the cloud verifies whether the terminal is allowed to access the network and, if so, generates a network access response permitting access and sends it to the virtual gateway; the virtual gateway forwards the network access response to the terminal, and the terminal accesses the virtual network according to that response.
Step 303, the terminal performs encrypted communication with the cloud according to the identification information and the key information.
In an embodiment of the application, once the terminal has accessed the virtual network that the virtual gateway constructed through the directional network of the cloud, the cloud has also received the encryption information generated by the terminal, which may include identification information identifying the terminal and key information for encrypting and decrypting the transmitted data. That is, with the terminal identity and the key information now known at the cloud, the terminal can perform encrypted communication with the cloud over the virtual network created by the gateway, according to the identification information and the key information corresponding to it. This achieves secure communication between the terminal and the cloud without registration with the cloud and without burning a triple into the terminal.
It should be noted that when the terminal communicates with the cloud through the gateway in encrypted form, the encryption mode may be asymmetric, for example RSA, Elgamal, ESA, the knapsack algorithm, Rabin, D-H, ECC, etc., or symmetric, for example AES, 3DES, etc.; the embodiments of the present application are not limited in this respect.
In one embodiment of the present application, step 303 may include the steps of:
The terminal encrypts first data using the key information; the first data includes the first identification information;
In an embodiment of the application, when the terminal and the cloud communicate in encrypted form, in a first case the terminal acts as the sender: the first data may be symmetrically or asymmetrically encrypted using the key information (a random key or a fixed key), so as to protect the data while it is in transit. So that the cloud can determine the specific identity of the terminal and the corresponding key information during the encrypted communication, the terminal carries the first identification information identifying the terminal in the transmitted first data.
The terminal sends the encrypted first data to the cloud through the gateway.
In the virtual network created by the virtual gateway, the terminal can send the first data, encrypted with the key information (a random key or a fixed key), to the cloud through the gateway. After the cloud receives the encrypted first data, it can read the first identification information carried in the first data, look up the key information corresponding to that first identification information, and decrypt the encrypted first data with that key information to obtain the decrypted first data, thereby ensuring secure communication between the terminal and the cloud.
The terminal receives, through the gateway, second data sent by the cloud;
In an embodiment of the application, when the terminal and the cloud communicate in encrypted form within the virtual network created by the gateway, in a second case the terminal acts as the receiver: it can receive, through the gateway, second data sent by the cloud, where the second data has been encrypted by the cloud with the key corresponding to the terminal's identity information.
The terminal decrypts the second data using the key information.
After the terminal receives the encrypted second data, it can symmetrically or asymmetrically decrypt it using the key information (a random key or a fixed key) to obtain the decrypted second data, ensuring secure communication between the terminal and the cloud.
In the communication method provided by this embodiment of the application, applied to a terminal, the terminal generates identification information and key information for itself, sends them to the cloud through the gateway in the virtual network, and performs encrypted transmission with the cloud according to that identification information and key information. The cloud can thus determine the identity of the terminal communicating with it without the terminal registering with the cloud, and secure communication between the terminal and the cloud is guaranteed without a triple being burned into the terminal.
Referring to fig. 4, a flowchart illustrating the steps of a third communication method embodiment of the present application is shown. This embodiment is applied to a cloud, where the cloud is connected to a gateway and the gateway is connected to a terminal; specifically, the method may include the following steps:
step 401, the cloud receives encryption information sent by the terminal through the gateway; the encryption information comprises identification information and key information, and the key information is generated by the terminal;
The cloud can receive, through the gateway, the encryption information sent by the terminal. The encryption information may include identification information identifying the terminal and key information for encrypting and decrypting the transmitted data, so that even though the cloud holds no registration information for the terminal, that is, the terminal has not registered and no triple has been burned into it, the cloud can use the received identification information and key information to communicate securely with the terminal. The key information received by the cloud may be a random key or a fixed key.
In one embodiment of the present application, step 401 may include the following sub-steps:
Substep S41, the cloud receives, through the gateway, an access request sent by the terminal; the access request includes the encryption information.
The cloud needs to receive the encryption information sent by the terminal; it can do so by responding to an access request, carrying the encryption information, that the terminal sends through the gateway, so that the cloud establishes the communication relationship with the terminal and receives the encryption information while responding to the terminal's access request. The terminal, the gateway connected to the terminal, and the cloud connected to the gateway can be located in the same virtual network. The virtual network can be constructed by the gateway through a directional network of the cloud, so that data communication between the terminal and the gateway flows through the cloud over that directional network and the communication connection between the terminal and the cloud is established.
In an embodiment of the application, the communication connection between the cloud and the terminal may be established as follows: the cloud receives an access request forwarded by the gateway, where the access request is generated by the terminal for accessing the virtual network; the cloud verifies whether the terminal is allowed to access the network and, if the verification passes, generates a network access response permitting access and sends it to the virtual gateway; the virtual gateway forwards the network access response to the terminal, and the terminal accesses the virtual network according to that response.
Step 402, the cloud stores the identification information and the key information according to a key value pair form;
After responding to the terminal's access request for the virtual network and receiving the encryption information corresponding to the terminal, the cloud can store the encryption information (comprising the identification information and the key information) in key-value pair form, so that during secure communication with the terminal the cloud can query the terminal's identity information and the corresponding key information from the stored key-value pairs and complete the encryption and/or decryption of the transmitted data. It should be noted that in a specific implementation a preset statistics pool may be configured at the cloud to record and store the relevant terminal information, that is, the identification information and the key information, and when the terminal device is an alarm device, manual intervention may also be adopted.
In one embodiment of the present application, in one case, the identification information includes first identification information and second identification information, and step 402 may include the following sub-steps:
Substep S51, the cloud stores the first identification information as a key and the second identification information as a value to obtain a first key-value pair;
When the identification information received by the cloud includes first identification information identifying the terminal's card number and second identification information identifying the terminal device, the cloud can store the first identification information as the key and the second identification information as the value to obtain a first key-value pair. That is, the card number of the electronic card built into the communicating terminal together with the random string corresponding to that card number is used as the key, and the device number of the communicating terminal is used as the value, and these are stored as the first key-value pair, so that the terminal's card number is mapped to the terminal device. The random string may be a number, a character, or a combination of numbers and characters.
Substep S52, the cloud stores the second identification information as a key and the key information as a value to obtain a second key-value pair.
After the terminal's card number has been mapped to the terminal device, the cloud can store the second identification information as the key and the key information as the value to obtain a second key-value pair; that is, the device number of the communicating terminal is used as the key and the key information corresponding to that device number as the value, stored as the second key-value pair, so that the terminal device is mapped to the key information.
In one embodiment of the present application, in another case, the identification information includes third identification information, the third identification information including a card number; step 402 may include the following sub-steps:
Substep S53, the cloud stores the third identification information as a key and the key information as a value to obtain a third key-value pair.
When the identification information received by the cloud includes only third identification information identifying the terminal's card number, the cloud can store the third identification information as the key and the key information as the value to obtain a third key-value pair; that is, the card number of the electronic card built into the communicating terminal is used as the key and the corresponding key information as the value, stored as the third key-value pair, so that the terminal's card number is mapped directly to the key information and the corresponding key information can be queried directly from the terminal's card number even when no terminal device information has been obtained. It should be noted that the key of the third key-value pair contains only the card number of the communicating terminal, without the random string; looking up the key information corresponding to the card number through the third key-value pair still allows secure communication between the cloud and the terminal.
Step 403, the cloud performs encrypted communication with the terminal through the gateway according to the identification information and the key information.
In an embodiment of the application, after the cloud has stored the identification information and the key information for the terminal in key-value pair form, the cloud can perform encrypted communication with the terminal over the virtual network created by the gateway according to the stored key-value pairs. That is, without the terminal registering with the cloud and without a triple being burned into the terminal, the cloud can determine the terminal's identity and the corresponding key information, achieving secure communication with the terminal.
It should be noted that when the terminal communicates with the cloud through the gateway in encrypted form, the encryption mode may be asymmetric, for example RSA, Elgamal, ESA, the knapsack algorithm, Rabin, D-H, ECC, etc., or symmetric, for example AES, 3DES, etc.; the embodiments of the present application are not limited in this respect.
In an embodiment of the present application, in a case that the identification information received by the cloud includes the first identification information and the second identification information, step 403 may include the following sub-steps:
substep S61, the cloud receives, through the gateway, the first data sent by the terminal; the first data comprises first identification information, and the first data is encrypted by the terminal by adopting key information;
In an embodiment of the application, the cloud and the terminal perform encrypted communication in the virtual network created by the gateway. When the cloud is the receiver of the encrypted communication, it receives through the gateway the first data sent by the terminal; the first data comprises first identification information identifying the terminal card number, and has been encrypted by the terminal using the key information, that is, a random key or a fixed key.
In sub-step S62, the cloud searches for second identification information corresponding to the first identification information from the first key-value pair;
After receiving the encrypted first data, the cloud may extract the first identification information from it and use that information to query the corresponding second identification information in the stored first key-value pair, so that the corresponding key information can then be queried in the second key-value pair according to the second identification information found.
In sub-step S63, the cloud searches key information corresponding to the second identification information from the second key value pair;
After finding the second identification information corresponding to the first identification information, the cloud may query the corresponding key information in the second key-value pair according to that second identification information, so as to decrypt the encrypted first data with the key information found. The key information found may be a fixed key or a random key, and may belong to either an asymmetric or a symmetric encryption scheme.
Substep S64, the cloud end decrypting the first data by using key information corresponding to the second identification information;
After the cloud has found the key information corresponding to the second identification information, it may decrypt the encrypted first data symmetrically or asymmetrically using that key information (a random key or a fixed key), thereby obtaining the decrypted first data and ensuring secure communication between the cloud and the terminal.
In sub-step S65, the cloud searches key information corresponding to second identification information from the second key value pair;
In an embodiment of the application, the cloud and the terminal perform encrypted communication in the virtual network created by the gateway. When the cloud is the sender of the encrypted communication, it can determine that a certain terminal is the receiver and determine the terminal device information of that receiver, namely the second identification information; the cloud can then directly query the key information corresponding to the second identification information in the second key-value pair, so as to encrypt the second data with that key information. The key information found may be a fixed key or a random key, and may belong to either an asymmetric or a symmetric encryption scheme.
Substep S66, the cloud end encrypting the second data by using the key information;
After the cloud has obtained the key information corresponding to the terminal serving as the receiver, it may encrypt the second data symmetrically or asymmetrically using that key information (a random key or a fixed key), so as to ensure the security of the data during communication.
And a substep S67, sending, by the cloud, the encrypted second data to the terminal through the gateway.
In the virtual network created by the gateway, the cloud may send the second data, encrypted with the key information (a random key or a fixed key), to the terminal through the gateway; after receiving the encrypted second data, the terminal may decrypt it directly using its own key information to obtain the decrypted second data, thereby ensuring secure communication between the terminal and the cloud.
In an embodiment of the present application, in a case that the identification information received by the cloud includes third identification information, step 403 may include the following sub-steps:
substep S68, the cloud receives, through the gateway, the first data sent by the terminal; the first data comprises third identification information, and the first data is encrypted by the terminal by adopting key information;
In an embodiment of the application, the cloud and the terminal perform encrypted communication in the virtual network created by the gateway. When the cloud is the receiver of the encrypted communication, it receives through the gateway the first data sent by the terminal; the first data comprises third identification information identifying the terminal card number, and has been encrypted by the terminal using the key information, that is, a random key or a fixed key.
In sub-step S69, the cloud searches key information corresponding to the third identification information from the third key value pair;
After receiving the encrypted first data, the cloud may extract the third identification information from it, query the corresponding key information directly in the stored third key-value pair using that information, and decrypt the encrypted first data with the key information found. The key information found may be a fixed key or a random key, and may belong to either an asymmetric or a symmetric encryption scheme.
Substep S70, the cloud end decrypting the first data by using key information corresponding to the third identification information;
After the cloud has found the key information corresponding to the third identification information, it may decrypt the encrypted first data symmetrically or asymmetrically using that key information (a random key or a fixed key), thereby obtaining the decrypted first data and ensuring secure communication between the cloud and the terminal.
In the substep S71, the cloud searches key information corresponding to the third identification information from the third key value pair, and encrypts second data by using the key information;
In an embodiment of the application, the cloud and the terminal perform encrypted communication in the virtual network created by the gateway. When the cloud is the sender of the encrypted communication, it can determine that a certain terminal is the receiver and determine the terminal card number information of that receiver, namely the third identification information; the cloud can then directly query the key information corresponding to the third identification information in the third key-value pair and encrypt the second data symmetrically or asymmetrically using that key information (a random key or a fixed key), so as to ensure the security of the data during communication.
And a substep S72, sending, by the cloud, the encrypted second data to the terminal through the gateway.
In the virtual network created by the gateway, the cloud may send the second data, encrypted with the key information (a random key or a fixed key), to the terminal through the gateway; after receiving the encrypted second data, the terminal may decrypt it directly using its own key information to obtain the decrypted second data, thereby ensuring secure communication between the terminal and the cloud.
The communication method provided by the embodiment of the application is applied to a cloud. The cloud receives, through a gateway in a virtual network, identification information and key information for a terminal, stores the identification information and the key information in key-value pair form, and performs encrypted transmission with the terminal according to the identification information and the key information. In this way the cloud can clearly identify the terminal communicating with it even though the terminal is not registered, and secure communication between the cloud and the terminal is guaranteed even though no triple has been burned into the terminal.
Referring to fig. 5, an application scenario diagram of an embodiment of the communication method of the present application is shown. It applies to a scenario in which a terminal communicates securely with the Alibaba Cloud Internet of Things platform without a triple being burned into the terminal, and involves the terminal device, iotx-cellnet-nms (the gateway system of the IoT-card virtual core network) and CMP/LP (the Alibaba Cloud IoT platform), as well as the virtual network created by iotx-cellnet-nms according to the directional network of the CMP/LP.
As shown in fig. 5, the secure communication between the terminal and the Alibaba Cloud IoT platform may include:
1) In the virtual network, the terminal is connected to the gateway and the gateway is connected to the Alibaba Cloud platform; a short-lived connection is maintained between the gateway and the terminal, and a persistent (long) connection between the gateway and the Alibaba Cloud platform.
2) The terminal generates a random string together with a random key: the random key may be a key conforming to the AES128 standard (Advanced Encryption Standard, where 128 denotes the key length in bits); while generating random string a, the terminal takes card number + random string a as key1.
3) When accessing the gateway, the terminal sends the key and key1 to the cloud, and the cloud stores them in kv (key-value pair) form as follows:
key 1: card number + random string; value 1: device number;
key 2: device number; value 2: key.
The device number of the terminal may be generated by the terminal and sent to the cloud, or generated by the cloud in response to the terminal accessing the gateway; this is not limited in the embodiment of the application.
4) The terminal encrypts data asymmetrically and transmits it to iotx-cellnet-nms, which forwards it to the cloud; each transmission between the terminal and the cloud is encrypted and decrypted with the key, so that data security is guaranteed.
In the embodiment of the application, the generated random string prevents an illegitimate platform from identifying the terminal device, which would otherwise force a key update, without cloud registration and without burning a triple into the firmware; the generated random key ensures secure communication of the data; and, when the identity of the terminal device is not yet clear, the credibility of the device can be ensured through the random string.
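The following Go program is an added worked example, not code from the patent or from Alibaba, covering both the fig. 5 scenario above and sub-steps S61 to S72 of step 403: the terminal draws a random string and a random AES-128 key, the cloud stores the first key-value pair (card number + random string -> device number), the second (device number -> key) and, for a terminal that sent only its card number, the third (card number -> key), then resolves the key from whichever identification information a message carries and decrypts the terminal's first data or encrypts second data for it. The sample card number and device number, the choice of AES-128 in GCM mode, and the message framing (identification information in the clear, random nonce prefixed to the ciphertext) are assumptions of the example; the page lists AES among the permitted schemes but fixes no mode or framing.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// NewCredentials is the terminal side: a random string and a random AES-128
// key are drawn from crypto/rand; the first identification information is
// card number + random string (the "key1" of the fig. 5 scenario).
func NewCredentials(cardNumber string) (firstID string, key []byte, err error) {
	buf := make([]byte, 24) // 8 bytes -> random string, 16 bytes -> AES-128 key
	if _, err = rand.Read(buf); err != nil {
		return "", nil, err
	}
	return fmt.Sprintf("%s%x", cardNumber, buf[:8]), buf[8:], nil
}

// Cloud keeps the three key-value pairs the text describes.
type Cloud struct {
	first  map[string]string // card number + random string -> device number
	second map[string][]byte // device number -> key
	third  map[string][]byte // card number alone -> key (no device number sent)
}

func NewCloud() *Cloud { return &Cloud{map[string]string{}, map[string][]byte{}, map[string][]byte{}} }

// Register stores an access request; an empty device number means only the card number was sent.
func (c *Cloud) Register(id, deviceNo string, key []byte) {
	if deviceNo == "" {
		c.third[id] = key // third pair
	} else {
		c.first[id], c.second[deviceNo] = deviceNo, key // first pair, second pair
	}
}

// DecryptFirstData is the cloud as receiver: resolve the key as sub-steps S62/S63
// (first pair, then second pair) or S69 (third pair), then decrypt the payload.
func (c *Cloud) DecryptFirstData(id string, payload []byte) ([]byte, error) {
	key, ok := c.third[id]
	if deviceNo, found := c.first[id]; found {
		key, ok = c.second[deviceNo]
	}
	if !ok {
		return nil, fmt.Errorf("no key for identification information %q", id)
	}
	return open(key, payload)
}

// EncryptSecondData is the cloud as sender (S65-S67): it already knows the receiver's device number.
func (c *Cloud) EncryptSecondData(deviceNo string, pt []byte) ([]byte, error) {
	if key, ok := c.second[deviceNo]; ok {
		return seal(key, pt)
	}
	return nil, fmt.Errorf("unknown device number %q", deviceNo)
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal prefixes a fresh random nonce; the GCM tag authenticates the ciphertext.
func seal(key, pt []byte) ([]byte, error) {
	g, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, pt, nil), nil
}

// open rejects short, tampered or wrong-key ciphertext with an error.
func open(key, ct []byte) ([]byte, error) {
	g, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(ct) < g.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], nil)
}

func main() {
	id, key, _ := NewCredentials("8986001234567890") // constructed card number
	c := NewCloud()
	c.Register(id, "dev-0001", key) // constructed device number
	ct, _ := seal(key, []byte("first data from the terminal"))
	pt, err := c.DecryptFirstData(id, ct)
	fmt.Printf("%s %v\n", pt, err)
}
```

An identification value that matches neither the first nor the third pair yields an error rather than a nil key, and because GCM authenticates the ciphertext, a message that was altered in transit or encrypted under another terminal's key is rejected at `open` instead of being decrypted to garbage.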
It should be noted that, for simplicity of description, the method embodiments are described as a series of acts or combination of acts, but those skilled in the art will recognize that the embodiments are not limited by the order of acts described, as some steps may occur in other orders or concurrently depending on the embodiments. Further, those skilled in the art will also appreciate that the embodiments described in the specification are presently preferred and that no particular act is required of the embodiments of the application.
Referring to fig. 6, a block diagram of a first communication device according to an embodiment of the present application is shown, and is applied to a terminal, where the terminal is connected to a gateway, and the gateway is connected to a cloud, where the first communication device specifically includes the following modules:
a random string generating module 601, configured to obtain a card number of a built-in electronic card and generate a random string;
an encrypted information generating module 602, configured to generate encrypted information by using the card number and the random string; the encryption information comprises identification information and key information;
an encrypted information sending module 603, configured to send the encrypted information to the cloud through the gateway;
and the encrypted communication module 604, configured to perform encrypted communication with the cloud through the gateway according to the identification information and the key information.
In an embodiment of the present application, the identification information includes first identification information and second identification information, and the encrypted information generating module 602 may include the following sub-modules:
a first identification information generation submodule for using the card number and the random string as the first identification information;
and the second identification information generation submodule is used for acquiring the own equipment number and generating the second identification information by adopting the equipment number.
In an embodiment of the present application, the encrypted information sending module 603 may include the following sub-modules:
the access request sending submodule is used for sending an access request to the cloud end through the gateway; the access request includes encryption information.
In one embodiment of the present application, the encryption communication module 604 may include the following sub-modules:
the first data encryption submodule is used for encrypting the first data by adopting the key information; the first data includes the first identification information;
the first data sending submodule is used for sending the encrypted first data to the cloud end through the gateway;
the second data receiving submodule is used for receiving second data sent by the cloud end through the gateway;
and the second data decryption submodule is used for decrypting the second data by adopting the key information.
Referring to fig. 7, a block diagram of a second embodiment of the communication device in the present application is shown, and is applied to a terminal, where the terminal is connected to a gateway, and the gateway is connected to a cloud, and specifically includes the following modules:
an encrypted information generating module 701 configured to generate encrypted information; the encryption information comprises identification information and key information;
an encrypted information sending module 702, configured to send the encrypted information to the cloud through the gateway;
and the encrypted communication module 703, configured to perform encrypted communication with the cloud through the gateway according to the identification information and the key information.
In an embodiment of the present application, the identification information includes first identification information and second identification information, and the encrypted information generating module 701 may include the following sub-modules:
the first identification information generation submodule is used for acquiring a card number of a built-in electronic card and generating first identification information by adopting the card number;
and the second identification information generation submodule is used for acquiring the own equipment number and generating the second identification information by adopting the equipment number.
In an embodiment of the present application, the first identification information generation sub-module may include the following units:
and the first identification information generating unit is used for generating a random string and adopting the card number and the random string as the first identification information.
In an embodiment of the present application, the encrypted information sending module 702 may include the following sub-modules:
the access request sending submodule is used for sending an access request to the cloud end through the gateway; the access request includes encryption information.
In an embodiment of the present application, the encryption communication module 703 may include the following sub-modules:
the first data encryption submodule is used for encrypting the first data by adopting the key information; the first data includes the first identification information;
the first data sending submodule is used for sending the encrypted first data to the cloud end through the gateway;
the second data receiving submodule is used for receiving second data sent by the cloud end through the gateway;
and the second data decryption submodule is used for decrypting the second data by adopting the key information.
Referring to fig. 8, a block diagram of a third embodiment of a communication device according to the present application is shown, and is applied to a terminal, where the terminal is connected to a gateway, and the gateway is connected to a cloud, and specifically includes the following modules:
an encrypted information receiving module 801, configured to receive, through the gateway, encrypted information sent by the terminal; the encryption information comprises identification information and key information, and the key information is generated by the terminal;
an encrypted information storage module 802, configured to store the identification information and the key information in a key-value pair form;
and an encrypted communication module 803, configured to perform encrypted communication with the terminal through the gateway according to the identification information and the key information.
In an embodiment of the present application, the encrypted information receiving module 801 may include the following sub-modules:
an access request receiving submodule, configured to receive, through the gateway, an access request sent by the terminal; the access request includes encryption information.
In one embodiment of the present application, the identification information includes first identification information and second identification information; the encryption information storage module 802 may include the following sub-modules:
the first key-value pair storage submodule is used for storing the cloud by taking the first identification information as a key and the second identification information as a value to obtain a first key-value pair;
and the second key-value pair storage submodule is used for storing the cloud by taking the second identification information as a key and the key information as a value to obtain a second key-value pair.
In one embodiment of the present application, the encryption communication module 803 may include the following sub-modules:
the first data receiving submodule is used for receiving first data sent by the terminal through the gateway; the first data comprises first identification information, and the first data is encrypted by the terminal by adopting key information;
the second identification information query submodule is used for searching second identification information corresponding to the first identification information from the first key value pair;
the key information inquiry submodule is used for searching the key information corresponding to the second identification information from the second key value pair;
and the first data decryption submodule is used for decrypting the first data by adopting the key information corresponding to the second identification information.
In one embodiment of the present application, the encryption communication module 803 may include the following sub-modules:
the key information inquiry submodule is used for searching key information corresponding to the second identification information from the second key value pair;
the second data encryption submodule is used for encrypting second data by using the key information;
and the second data sending submodule is used for sending the encrypted second data to the terminal through the gateway.
In one embodiment of the present application, the identification information includes third identification information; the third identification information comprises a card number; the encryption information storage module 802 may include the following sub-modules:
and the third key value pair storage submodule is used for storing the third identification information as a key and the key information as a value to obtain a third key value pair.
In one embodiment of the present application, the encryption communication module 803 may include the following sub-modules:
the first data receiving submodule is used for receiving first data sent by the terminal through the gateway; the first data comprises third identification information, and the first data is encrypted by the terminal by adopting key information;
the key information inquiry submodule is used for searching key information corresponding to the third identification information from the third key value pair;
and the first data decryption submodule is used for decrypting the first data by adopting the key information corresponding to the third identification information.
In one embodiment of the present application, the encryption communication module 803 may include the following sub-modules:
the second data encryption submodule is used for searching key information corresponding to the third identification information from the third key value pair and encrypting second data by adopting the key information;
and the second data sending submodule is used for sending the encrypted second data to the terminal through the gateway.
For the device embodiment, since it is basically similar to the method embodiment, the description is simple, and for the relevant points, refer to the partial description of the method embodiment.
An embodiment of the present application further provides an electronic device, including:
a processor, a memory, and a computer program stored in the memory and executable on the processor; when the computer program is executed by the processor, each process of the communication method embodiment is implemented and the same technical effect is achieved; the details are not repeated here.
The embodiment of the present application further provides a computer-readable storage medium, where a computer program is stored on the computer-readable storage medium, and when the computer program is executed by a processor, the processes in the communication method embodiment are implemented, and the same technical effect can be achieved.
The embodiments in the present specification are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other.
As will be appreciated by one of skill in the art, embodiments of the present application may be provided as a method, apparatus, or computer program product. Accordingly, embodiments of the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, embodiments of the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
Embodiments of the present application are described with reference to flowchart illustrations and/or block diagrams of methods, terminal devices (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing terminal to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing terminal, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing terminal to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing terminal to cause a series of operational steps to be performed on the computer or other programmable terminal to produce a computer implemented process such that the instructions which execute on the computer or other programmable terminal provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While preferred embodiments of the present application have been described, additional variations and modifications of these embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including the preferred embodiment and all such alterations and modifications as fall within the true scope of the embodiments of the application.
Finally, it should also be noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or terminal that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or terminal. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or terminal that comprises the element.
The foregoing detailed description is directed to a communication method and a communication apparatus provided in the present application, and specific examples are applied herein to illustrate the principles and implementations of the present application, which are merely provided to help understand the method and the core idea of the present application; meanwhile, for a person skilled in the art, according to the idea of the present application, there may be variations in the specific embodiments and the application scope, and in summary, the content of the present specification should not be construed as a limitation to the present application.

Claims (31)

1. A communication method is applied to a terminal, the terminal is connected with a gateway, and the gateway is connected with a cloud terminal, and the method comprises the following steps:
the terminal acquires a card number of a built-in electronic card and generates a random string;
the terminal generates encryption information by adopting the card number and the random string, and sends the encryption information to the cloud end through the gateway; the encryption information comprises identification information and key information;
and the terminal is in encrypted communication with the cloud terminal through the gateway according to the identification information and the key information.
2. The method of claim 1, wherein the identification information comprises first identification information, and wherein the terminal generates the identification information using the card number and the random string, comprising:
and the terminal adopts the card number and the random string as the first identification information.
3. The method of claim 2, wherein the identification information further comprises second identification information, and wherein the terminal generates the identification information comprising:
the terminal acquires the own equipment number;
and the terminal generates the second identification information by adopting the equipment number.
4. The method of claim 1, wherein the terminal sends encryption information to the cloud via the gateway, and wherein the sending comprises:
the terminal sends an access request to the cloud end through the gateway; the access request includes encryption information.
5. The method according to claim 2, wherein the terminal performs encrypted communication with the cloud terminal through the gateway according to the identification information and the key information, and comprises:
the terminal encrypts first data by adopting the key information; the first data includes the first identification information;
and the terminal sends the encrypted first data to the cloud terminal through the gateway.
6. The method according to claim 2, wherein the terminal performs encrypted communication with the cloud terminal through the gateway according to the identification information and the key information, and comprises:
the terminal receives second data sent by the cloud end through the gateway;
and the terminal decrypts the second data by adopting the key information.
7. A communication method is applied to a terminal, the terminal is connected with a gateway, and the gateway is connected with a cloud terminal, and the method comprises the following steps:
the terminal generates encryption information and sends the encryption information to the cloud end through the gateway; the encryption information comprises identification information and key information;
and the terminal is in encrypted communication with the cloud terminal through the gateway according to the identification information and the key information.
8. A communication method is applied to a cloud end, the cloud end is connected with a gateway, and the gateway is connected with a terminal, and the method comprises the following steps:
the cloud end receives the encrypted information sent by the terminal through the gateway; the encryption information comprises identification information and key information, and the key information is generated by the terminal;
and the cloud end carries out encryption communication with the terminal through the gateway according to the identification information and the key information.
9. The method of claim 8, further comprising:
the cloud storing the identification information and the key information as key-value pairs.
10. The method of claim 9, wherein the identification information comprises first identification information and second identification information, and the cloud storing the identification information and the key information as key-value pairs comprises:
the cloud storing the first identification information as a key and the second identification information as a value, obtaining a first key-value pair; and
the cloud storing the second identification information as a key and the key information as a value, obtaining a second key-value pair.
11. The method of claim 10, wherein the cloud performing encrypted communication with the terminal through the gateway according to the identification information and the key information comprises:
the cloud receiving, through the gateway, first data sent by the terminal, the first data carrying the first identification information and having been encrypted by the terminal with the key information;
the cloud looking up, in the first key-value pair, the second identification information corresponding to the first identification information;
the cloud looking up, in the second key-value pair, the key information corresponding to the second identification information; and
the cloud decrypting the first data with the key information corresponding to the second identification information.
12. The method of claim 10, wherein the cloud performing encrypted communication with the terminal through the gateway according to the identification information and the key information comprises:
the cloud looking up, in the second key-value pair, the key information corresponding to the second identification information;
the cloud encrypting second data with the key information; and
the cloud sending the encrypted second data to the terminal through the gateway.
13. The method of claim 9, wherein the identification information comprises third identification information, the third identification information comprising a card number, and the cloud storing the identification information and the key information as key-value pairs comprises:
the cloud storing the third identification information as a key and the key information as a value, obtaining a third key-value pair.
14. The method of claim 13, wherein the cloud performing encrypted communication with the terminal through the gateway according to the identification information and the key information comprises:
the cloud receiving, through the gateway, first data sent by the terminal, the first data carrying the third identification information and having been encrypted by the terminal with the key information;
the cloud looking up, in the third key-value pair, the key information corresponding to the third identification information; and
the cloud decrypting the first data with the key information corresponding to the third identification information.
15. The method of claim 14, wherein the cloud performing encrypted communication with the terminal through the gateway according to the identification information and the key information comprises:
the cloud looking up, in the third key-value pair, the key information corresponding to the third identification information, and encrypting second data with the key information; and
the cloud sending the encrypted second data to the terminal through the gateway.
16. The method of claim 8, wherein the cloud receiving, through the gateway, the encryption information sent by the terminal comprises:
the cloud receiving, through the gateway, an access request sent by the terminal, the access request comprising the encryption information.
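The exchange that claims 7 to 16 describe, simulated end to end as an added example; this is not code from the patent or from the applicant. The claims name no cipher, no layout for the identification information and no key length, so all of those are assumptions here: the cipher is an illustrative encrypt-then-MAC construction built only from HMAC-SHA256 (a keystream in counter mode plus an HMAC tag), the first identification information is the card number joined to a random string (the form claim 18 gives), the second identification information is a hash of the device number, the key information is 32 random bytes, the identifiers `card-0001` and `dev-0001` and the payloads are constructed, and the gateway is a plain relay that holds no key. The cloud keeps the two key-value maps of claims 10 to 12; the first data carries the first identification information in clear because the cloud needs it to find the key, and only the body is encrypted.

```python
# Added example (not part of the patent): simulation of the claimed exchange.
# Assumed, because the claims name none of it: the cipher (HMAC-SHA256 keystream in
# counter mode plus an HMAC tag), the layout of the identification information,
# a 32-byte key, constructed identifiers and payloads, and a gateway that only relays.
import hashlib
import hmac
import secrets
from typing import Dict, Tuple

NONCE_LEN = 16
TAG_LEN = 32

def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC keys from the key information."""
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used as a PRF-based stream cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt(key: bytes, aad: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag; aad travels in clear but is authenticated."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(key: bytes, aad: bytes, blob: bytes) -> bytes:
    """Check the tag in constant time before decrypting; reject anything tampered."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("message too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expect = hmac.new(_subkey(key, b"mac"), aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("authentication failed")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))

class Terminal:
    """Claims 7 and 17-20: builds identification and key information, then talks to the cloud."""

    def __init__(self, card_number: str, device_number: str):
        random_string = secrets.token_hex(8)
        self.first_id = f"{card_number}:{random_string}"  # card number + random string (claim 18)
        self.second_id = hashlib.sha256(device_number.encode()).hexdigest()[:16]  # from device number
        self.key = secrets.token_bytes(32)  # key information, generated by the terminal

    def access_request(self) -> dict:
        """Encryption information = identification information + key information (claims 7, 16)."""
        return {"first_id": self.first_id, "second_id": self.second_id, "key": self.key}

    def first_data(self, payload: bytes) -> dict:
        """First data: first_id in clear so the cloud can look up the key; body encrypted (claim 11)."""
        return {"first_id": self.first_id, "body": encrypt(self.key, self.first_id.encode(), payload)}

    def read_second_data(self, msg: dict) -> bytes:
        return decrypt(self.key, msg["second_id"].encode(), msg["body"])

class Cloud:
    """Claims 8-12: two key-value maps, first_id -> second_id and second_id -> key."""

    def __init__(self):
        self.first_kv: Dict[str, str] = {}
        self.second_kv: Dict[str, bytes] = {}

    def handle_access_request(self, req: dict) -> None:
        self.first_kv[req["first_id"]] = req["second_id"]
        self.second_kv[req["second_id"]] = req["key"]

    def handle_first_data(self, msg: dict) -> Tuple[str, bytes]:
        second_id = self.first_kv[msg["first_id"]]  # unknown first_id raises KeyError: drop it
        key = self.second_kv[second_id]
        return second_id, decrypt(key, msg["first_id"].encode(), msg["body"])

    def second_data(self, second_id: str, payload: bytes) -> dict:
        key = self.second_kv[second_id]
        return {"second_id": second_id, "body": encrypt(key, second_id.encode(), payload)}

def gateway_forward(msg: dict) -> dict:
    """The gateway only relays; it holds no key and cannot read the encrypted bodies."""
    return dict(msg)

def run_exchange(card_number: str = "card-0001", device_number: str = "dev-0001") -> Tuple[bytes, bytes]:
    """Full round trip with constructed identifiers: access request, uplink, downlink."""
    term, cloud = Terminal(card_number, device_number), Cloud()
    cloud.handle_access_request(gateway_forward(term.access_request()))
    second_id, uplink = cloud.handle_first_data(gateway_forward(term.first_data(b"temperature=21.5")))
    downlink = term.read_second_data(gateway_forward(cloud.second_data(second_id, b"ack")))
    return uplink, downlink
```

`run_exchange()` returns the decrypted uplink and downlink payloads; a flipped ciphertext byte or a mismatched identifier in the associated data makes `decrypt` raise instead of returning garbage. The single-map variant of claims 13 to 15 is the same code with `first_kv` removed and `second_kv` keyed directly by the card number. Two points the claims leave open are worth checking in any real deployment: the access request carries the key information itself, so the claims say nothing about how that one message is protected on the terminal-gateway-cloud path, and a repeated access request for the same identifiers simply overwrites the stored key, so the cloud needs its own rule for who may re-register.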
17. A communication apparatus applied to a terminal, the terminal being connected to a gateway and the gateway being connected to a cloud, the apparatus comprising:
a random string generating module, configured to acquire a card number of a built-in electronic card and to generate a random string;
an encryption information generating module, configured to generate encryption information, the encryption information comprising identification information and key information;
an encryption information sending module, configured to send the encryption information to the cloud through the gateway; and
an encrypted communication module, configured to perform encrypted communication with the cloud through the gateway according to the identification information and the key information.
18. The apparatus of claim 17, wherein the identification information comprises first identification information, and the encryption information generating module comprises:
a first identification information generating submodule, configured to use the card number and the random string as the first identification information;
and wherein the identification information further comprises second identification information, and the encryption information generating module further comprises:
a second identification information generating submodule, configured to acquire the device number of the terminal and to generate the second identification information from the device number.
19. The apparatus of claim 17, wherein the identification information comprises first identification information, and the encryption information sending module comprises:
an access request sending submodule, configured to send an access request to the cloud through the gateway, the access request comprising the encryption information.
20. The apparatus of claim 17, wherein the identification information comprises first identification information, and the encrypted communication module comprises:
a first data encrypting submodule, configured to encrypt first data with the key information, the first data comprising the first identification information;
a first data sending submodule, configured to send the encrypted first data to the cloud through the gateway;
a second data receiving submodule, configured to receive, through the gateway, second data sent by the cloud; and
a second data decrypting submodule, configured to decrypt the second data with the key information.
21. A communication apparatus applied to a terminal, the terminal being connected to a gateway and the gateway being connected to a cloud, the apparatus comprising:
an encryption information generating module, configured to generate encryption information;
an encryption information sending module, configured to send the encryption information to the cloud through the gateway, the encryption information comprising identification information and key information; and
an encrypted communication module, configured to perform encrypted communication with the cloud through the gateway according to the identification information and the key information.
22. A communication apparatus applied to a cloud, the cloud being connected to a gateway and the gateway being connected to a terminal, the apparatus comprising:
an encryption information receiving module, configured to receive, through the gateway, encryption information sent by the terminal, the encryption information comprising identification information and key information, the key information being generated by the terminal;
an encryption information storage module, configured to store the identification information and the key information as key-value pairs; and
an encrypted communication module, configured to perform encrypted communication with the terminal through the gateway according to the identification information and the key information.
23. The apparatus of claim 22, wherein the encryption information receiving module comprises:
an access request receiving submodule, configured to receive, through the gateway, an access request sent by the terminal, the access request comprising the encryption information.
24. The apparatus of claim 22, wherein the identification information comprises first identification information and second identification information, and the encryption information storage module comprises:
a first key-value pair storage submodule, configured to store the first identification information as a key and the second identification information as a value, obtaining a first key-value pair; and
a second key-value pair storage submodule, configured to store the second identification information as a key and the key information as a value, obtaining a second key-value pair.
25. The apparatus of claim 22, wherein the encrypted communication module comprises:
a first data receiving submodule, configured to receive, through the gateway, first data sent by the terminal, the first data carrying the first identification information and having been encrypted by the terminal with the key information;
a second identification information query submodule, configured to look up, in the first key-value pair, the second identification information corresponding to the first identification information;
a key information query submodule, configured to look up, in the second key-value pair, the key information corresponding to the second identification information; and
a first data decrypting submodule, configured to decrypt the first data with the key information corresponding to the second identification information.
26. The apparatus of claim 22, wherein the encrypted communication module comprises:
a key information query submodule, configured to look up, in the second key-value pair, the key information corresponding to the second identification information;
a second data encrypting submodule, configured to encrypt second data with the key information; and
a second data sending submodule, configured to send the encrypted second data to the terminal through the gateway.
27. The apparatus of claim 22, wherein the identification information comprises third identification information, the third identification information comprising a card number, and the encryption information storage module comprises:
a third key-value pair storage submodule, configured to store the third identification information as a key and the key information as a value, obtaining a third key-value pair.
28. The apparatus of claim 22, wherein the encrypted communication module comprises:
a first data receiving submodule, configured to receive, through the gateway, first data sent by the terminal, the first data carrying the third identification information and having been encrypted by the terminal with the key information;
a key information query submodule, configured to look up, in the third key-value pair, the key information corresponding to the third identification information; and
a first data decrypting submodule, configured to decrypt the first data with the key information corresponding to the third identification information.
29. The apparatus of claim 22, wherein the encrypted communication module comprises:
a second data encrypting submodule, configured to look up, in the third key-value pair, the key information corresponding to the third identification information and to encrypt second data with that key information; and
a second data sending submodule, configured to send the encrypted second data to the terminal through the gateway.
30. An electronic device, comprising a processor, a memory, and a computer program stored in the memory and executable on the processor, wherein the computer program, when executed by the processor, implements the steps of the communication method according to any one of claims 1 to 6, claim 7, or claims 8 to 16.
31. A computer-readable storage medium storing a computer program which, when executed by a processor, carries out the steps of the communication method according to any one of claims 1 to 6, claim 7, or claims 8 to 16.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010247679.XA CN113472728B (en) 2020-03-31 2020-03-31 Communication method and device

Publications (2)

Publication Number Publication Date
CN113472728A true CN113472728A (en) 2021-10-01
CN113472728B CN113472728B (en) 2022-05-27

Family

ID=77865795

Country Status (1)

Country Link
CN (1) CN113472728B (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101771535A (en) * 2008-12-30 2010-07-07 上海茂碧信息科技有限公司 Mutual authentication method between terminal and server
CN102571702A (en) * 2010-12-22 2012-07-11 中兴通讯股份有限公司 Key generation method, system and equipment in Internet of things
CN104393989A (en) * 2014-10-30 2015-03-04 北京神州泰岳软件股份有限公司 A secret key negotiating method and device
CN105577379A (en) * 2014-10-16 2016-05-11 阿里巴巴集团控股有限公司 Information processing method and apparatus thereof
CN106603496A (en) * 2016-11-18 2017-04-26 新智数字科技有限公司 Data transmission protection method, intelligent card, server, and communication system
US20170118015A1 (en) * 2015-10-23 2017-04-27 Ajou University Industry-Academic Cooperation Foun Dation Method for managing smart home environment, method for joining smart home environment and method for connecting communication session with smart device
CN109600354A (en) * 2017-09-30 2019-04-09 优仕达资讯股份有限公司 Network identity validation System and method for

Similar Documents

Publication Publication Date Title
CN112788033B (en) Authentication method and authentication system
US11706026B2 (en) Location aware cryptography
US11626979B2 (en) ECDHE key exchange for mutual authentication using a key server
EP3090520B1 (en) System and method for securing machine-to-machine communications
US9219722B2 (en) Unclonable ID based chip-to-chip communication
US9491174B2 (en) System and method for authenticating a user
KR101982237B1 (en) Method and system for data sharing using attribute-based encryption in cloud computing
CN113691502B (en) Communication method, device, gateway server, client and storage medium
JP6967449B2 (en) Methods for security checks, devices, terminals and servers
CN107359998A (en) A kind of foundation of portable intelligent password management system and operating method
Dey et al. Message digest as authentication entity for mobile cloud computing
Chen et al. Enhanced authentication protocol for the Internet of Things environment
CN114417073B (en) Neighbor node query method and device of encryption graph and electronic equipment
CN113472728B (en) Communication method and device
CN113434837B (en) Method and device for equipment identity authentication and smart home system
CN108141462B (en) Method and system for database query
CN114745115A (en) Information transmission method and device, computer equipment and storage medium
US11818109B1 (en) Secure synchronization of data
US11616789B2 (en) Communication system, communication method, and computer program product
US20240070294A1 (en) Secure synchronization of data
US11831756B2 (en) Sharing access to data externally
CN114629713B (en) Identity verification method, device and system
CN116782210B (en) Dynamic encryption key generation method of high-speed encryption algorithm
US11949772B2 (en) Optimized authentication system for a multiuser device
US11652800B1 (en) Secure connections between servers in a virtual private network

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
REG Reference to a national code (Ref country code: HK; Ref legal event code: DE; Ref document number: 40060948; Country of ref document: HK)